In yet another sign that the agency is taking a tougher enforcement stance, Sentara Hospitals has agreed to pay $2.2 million to the HHS Office for Civil Rights to settle claims that it violated the HIPAA Breach Notification and Privacy rules. Sentara Hospitals, a 12-hospital acute care chain, is part of Norfolk, Va.-based Sentara Healthcare.
The hospital group’s problems began in 2017 when someone sent HHS a complaint asserting that the hospital chain had sent a bill to one patient containing another patient’s Protected Health Information. Upon investigating the matter, the OCR found that it had mailed 577 patients’ PHI to incorrect addresses. This PHI included patient names, account numbers and dates of services.
According to a piece in Modern Healthcare, the breach happened due to mistakes made by a third-party vendor which led to that vendor printing some patients’ billing information on other patients’ statements. A Sentara Healthcare spokesperson told the magazine that when it discovered the error, it immediately halted bill printing and mailing and later, let affected patients know what happened.
Where things get a little odd is that Sentara Hospitals had originally reported this event as a breach affecting only 8 individuals, as someone there apparently believed that unless the mistaken disclosures included patient diagnoses, treatment information or other medical information no reportable breach had taken place.
In what was arguably an even stranger response, the hospital system refused to report the full extent of the breach to OCR even after the agency advised the chain that it was required to do so, the agency found. It also concluded that Sentara Hospitals had never set up a business associate agreement with Sentara Healthcare.
Since the 2017 incident, Sentara Hospitals has implemented tougher quality-control processes to avoid future accidental disclosures of PHI, the spokeswoman told the publication.
As part of the settlement agreement, Sentara Hospitals agreed to a two-year corrective action plan, a standard move in such situations. Under the terms of the plan, Sentara Hospitals will develop, maintain and revise as needed a set of written policies and procedures related to notifying relevant authorities when and if unsecured PHI is breached. The organization will also report back to the OCR regularly on its progress.
The Sentara settlement represents the third time OCR has slapped a substantial fine on a healthcare organization in November alone. The agency also fined a Texas health agency with a $1.6 million fine in response to its exposure of PHI online, and imposed a $3 million penalty on the University of Rochester Medical Center when it concluded that the health system had failed to encrypt mobile devices on multiple occasions.
Also in November, the OCR announced that it was investigating a data-sharing partnership underway between Google and the Ascension health system. Are your HIPAA ducks in a row?